The answer is not technology. There are many technical challenges in creating a Java derivative suitable for developing safety-critical software, and those challenges make the task interesting for a group of experts. Yet there is no technical need for another programming language in the safety-critical domain. Indeed, plenty of safety-critical systems are developed today with a variety of technologies and are successfully programmed in Ada 83, Ada 95 and C/C++.

The argument goes like this: Today it is difficult to find Ada and
C/C++ developers, while there are plenty of Java programmers out there
who will be able to pick up a safety-critical Java variant quickly.
Really? This reminds me of the time I attended the JavaOne conference
in 2000, where employers were looking for Java developers with 10 years
of experience (Java was introduced in 1995).

Finding Ada and C/C++ developers cannot be the issue. We are not
talking about ancient Greek. We are talking about a programming
language. Take Ada for instance. In the last two years, 20,000 unique
users have downloaded GNAT, the Ada tool chain, from AdaCore's "Libre" web site
to learn Ada or to develop free software in Ada. This number does not
include developers who have downloaded GNAT from the Free Software
Foundation.

More anecdotally, in November 2007 the National Museum of Computing
sponsored a historical code-breaking competition to celebrate the
rebuild of Colossus Mark 2 at Bletchley Park.
Colossus, the first programmable electronic digital computer, was used in
World War II to break messages enciphered by the Lorenz cipher machines
used by the German high command. Programmers and code breakers were invited to try to
beat the rebuilt Colossus in cracking a message encrypted with a Lorenz SZ42.
Joachim Schüth, an Ada novice, deciphered the message and beat Colossus with a program written in Ada, having learnt Ada in his spare time.

What problem would a Java variant for safety-critical systems solve?
In the author's opinion: none. Confining the issue of developing
safety-critical software to the programming language alone is a bit
like saying that building a skyscraper reduces to the type of
concrete and steel used. Yes, you cannot build a safe skyscraper with
poor-quality steel and concrete, so a programming language with safety
concerns built in is necessary to build safety-critical software.
Necessary does not mean sufficient, though.

In the author's opinion the real issue is the shortage of expertise.
A good developer of safety-critical software is hard to come by, and
Java, C/C++, or Ada alone cannot address this. From requirements
capture, to safety engineering, to system modeling, to software design,
development, and verification, to configuration management and quality
assurance, many activities and kinds of know-how go into the creation
of safety-critical software. Reducing these activities to the
programming language and coding is wishful thinking.

To summarize, the illusion is that by making small changes to Java
we (a) will be able to create a language suitable for safety-critical
systems and (b) will be able to draw from the large pool of Java
developers to develop safety-critical systems. Both of these are
pitfalls. (a) is like saying that by making small changes to a Toyota
you can create a Ferrari, while (b) is saying that once we have done
(a) we can take the large pool of Toyota drivers and use them to drive
Ferraris in a Formula 1 race. Most of these drivers don't have the
appropriate skill set.

The shortage of expertise in the design and development of
safety-critical software is a real and difficult problem. This is
compounded by the fact that we need a world-wide pool of
safety-critical software expertise in the thousands, not in the
millions.

Franco is co-founder and General Director of AdaCore, the company
that develops and offers commercial support for GNAT Pro, the Free
Software environment for Ada 2005, Ada 95, and Ada 83. AdaCore is a 100% Free Software Company basing its business model
on high-quality support and subscription-based pricing. AdaCore
provides Ada solutions to customers in the avionics, air traffic
management, military, railways, and space industries, amongst others. Franco Gasperoni has an engineering degree from the Ecole des
Mines de Paris, France and a PhD in Computer Science from New York
University, USA. While at the Ecole des Mines, Franco worked with
Maurice Allais, the French Economics Nobel prize winner. Franco has lectured and conducted research at New York University and at the
Ecole des Telecommunications (ENST), in Paris. Franco has published
over 25 papers.

2 Comments

I do not think the only problem is a shortage of developers. Most systems are composed of different parts with different safety or real-time requirements. Java is very powerful in the non-safety-critical parts of the system. By using Java in the whole system you can reduce your time to market and become more competitive. Using different languages within a system also increases its maintenance and development cost. Today the gap between the real-time domain and the IT domain is decreasing rapidly, and big companies like IBM are making a lot of investment in Java and trying to bring Java into the real-time and safety-critical domain. I do not think the language itself is the real issue here. I think a computer science graduate can easily switch between different domains and languages.

It’s difficult to understand exactly what Franco is saying, and it’s hard to take his anti-Java statements seriously given the conflict of interest he has due to his relationship with AdaCore. However, I agree with him — if this is indeed his point — that a shortage of C or Ada developers is not the primary motivation for safety-critical Java. However, his statement that safety-critical Java would solve no problems whatsoever is ridiculous. There are sound technical reasons for choosing the Java language, such as type safety, the definite assignment feature, a strict adherence to its specification, and more. These features make the language safer and thus more appropriate for safety-critical applications than, say, C. There are other factors that make Java attractive, too, such as an abundance of existing tools and source code to build on. And as oguz pointed out, a safety-critical system may have non-safety-critical components implemented in Java, so why be forced to mix languages? It would only add complexity to an already complex system.
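The comment above names "definite assignment" as one of Java's safety features. As an added illustration of what that rule buys (this is editorial example code, not from the post, its author or either commenter), the following C shows the pattern Java rejects at compile time: a local that is assigned on every enumerated branch but left indeterminate for any other value, next to a hardened version. The `enum mode` and the limits are constructed for the example.

```c
#include <stdio.h>

/* Constructed example: a mode selector as a control system might have. */
enum mode { MODE_IDLE = 0, MODE_ARMED = 1, MODE_FIRING = 2 };

/* Sentinel returned by the hardened function for an unknown mode. */
#define LIMIT_INVALID (-1)

/*
 * Unsafe form.  'limit' is assigned only on the three listed branches; for
 * any other value of 'm' (for instance an out-of-range int cast to the enum
 * after a memory fault or a bad message) the function returns an
 * indeterminate value.  C accepts this; some compilers warn, but only as a
 * diagnostic.  Java's definite-assignment rule rejects the equivalent
 * method outright, because 'limit' is not definitely assigned on every path
 * that reaches 'return'.
 */
int limit_for_mode_unsafe(enum mode m)
{
    int limit;                          /* not initialised */
    switch (m) {
    case MODE_IDLE:   limit = 0;   break;
    case MODE_ARMED:  limit = 10;  break;
    case MODE_FIRING: limit = 100; break;
    }
    return limit;                       /* indeterminate if no case matched */
}

/*
 * Hardened form.  Every path assigns 'limit', and an unexpected mode is
 * reported as LIMIT_INVALID instead of silently producing garbage.  In a
 * real safety-critical API the status would usually be a separate return
 * code with the value passed through an out-parameter; the sentinel keeps
 * this example short.
 */
int limit_for_mode(enum mode m)
{
    int limit = LIMIT_INVALID;          /* safe default on every path */
    switch (m) {
    case MODE_IDLE:   limit = 0;   break;
    case MODE_ARMED:  limit = 10;  break;
    case MODE_FIRING: limit = 100; break;
    default:          break;            /* unknown mode: refuse, do not guess */
    }
    return limit;
}

int main(void)
{
    printf("armed limit: %d\n", limit_for_mode(MODE_ARMED));   /* 10 */
    printf("bad mode:    %d\n", limit_for_mode((enum mode)7)); /* -1 */
    return 0;
}
```

The practical caveat for C is that this class of defect is caught only if the project builds with the relevant warnings enabled and treated as errors (and even then flow analysis can miss cases); in Java it is a language rule, which is the distinction the commenter is pointing at. Whether that rule is worth a new language variant is the question the post itself argues.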

Wind River Blog Network

The Wind River Blog Network is made up of a variety of voices: executives, technologists and industry enthusiasts. We hope to foster conversations and encourage the sharing of insights regarding the evolving landscape of intelligent, connected systems with our ecosystem of customers, partners and colleagues.